Microsoft 365 Security Audit - EPC Group enterprise consulting


Enterprise checklist for 2026 — identity & access, email security, data protection, endpoint security, compliance, audit logs, Secure Score, and remediation prioritization.

How to Perform a Microsoft 365 Security Audit

Quick Answer: A Microsoft 365 security audit systematically reviews six domains: identity & access management, email security, data protection, endpoint security, compliance configuration, and audit log analysis. Start with your Microsoft Secure Score (security.microsoft.com) — the average enterprise scores 35-50% while EPC Group targets 75%+ for regulated industries. The highest-impact actions are typically: enforce MFA for all users, block legacy authentication, configure DLP policies for sensitive data, and restrict external sharing. A comprehensive audit takes 2-3 weeks and produces a prioritized remediation roadmap.

Every Microsoft 365 tenant is a potential target. With over 400 million paid seats worldwide, M365 is the most-attacked enterprise platform on Earth. Attackers know that a single compromised account — especially one without MFA — can yield access to email, SharePoint, Teams, and OneDrive data across the entire organization.

Yet most organizations have never conducted a formal security audit of their Microsoft 365 environment. They rely on default settings, assume MFA is universally enforced (it often is not), and do not realize that their audit logs expire after 90 days — making forensic investigation impossible for incidents discovered more than three months after the fact.

EPC Group has audited Microsoft 365 environments for Fortune 500 organizations across healthcare, financial services, and government. This checklist is the same methodology our security consultants use — adapted for IT teams who want to conduct their own assessment or prepare for a professional engagement.

Why Regular Security Audits Matter

Microsoft 365 environments drift from secure baselines over time. New users are provisioned, Conditional Access exclusions accumulate, applications are integrated, and settings are changed without documentation. Without periodic audits, security gaps compound silently.

  • 60% of enterprise M365 tenants have at least one admin account without MFA
  • 45% have more Global Admins than recommended (2-4 maximum)
  • 55% have no DLP policies protecting sensitive data types
  • 40% still allow legacy authentication protocols that bypass MFA

Pre-Audit Preparation

Before starting the audit, gather the following information and access. Incomplete preparation is the number one cause of delayed or incomplete security audits.

Pre-Audit Checklist

  • Global Admin or Security Admin access to the tenant
  • List of all licensed users and their assigned roles
  • Inventory of Conditional Access policies (export from Entra admin center)
  • Current Microsoft Secure Score screenshot
  • List of all registered applications and enterprise apps
  • Documentation of any previous security assessments or penetration tests
  • Regulatory requirements applicable to the organization (HIPAA, SOC 2, CMMC, etc.)
  • List of known exceptions and compensating controls
  • Network architecture diagram showing M365 integration points
  • Incident history — any security incidents in the past 12 months

Identity & Access Review

Priority: Critical

1. Verify MFA is enforced for 100% of users via Conditional Access (not per-user MFA or security defaults)
2. Confirm legacy authentication protocols are blocked (Basic Auth, IMAP, POP3, SMTP AUTH)
3. Audit Conditional Access policies — check for overly broad exclusions or missing policies
4. Review privileged accounts — count Global Admins (should be 2-4 max), verify PIM is enabled
5. Check break-glass emergency access accounts exist with documented recovery procedures
6. Audit guest/external user accounts — remove stale guests, verify access reviews are configured
7. Review application registrations and enterprise apps — remove unused, check permissions granted
8. Verify password policies — ban common passwords, enable self-service password reset with MFA
9. Check sign-in risk policies — block or require MFA for high-risk sign-ins (Entra ID P2)
10. Review session management — token lifetime policies, continuous access evaluation (CAE) status
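Items 1 through 4 can be evidenced from Microsoft Graph instead of by clicking through the portal. The script below is an added example, not EPC Group's own audit tooling; it assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account can read Conditional Access policies, directory roles and (for the PIM check, which needs Entra ID P2) role eligibility schedules.

```powershell
# Added example (not EPC Group's script): Conditional Access and privileged-role audit via Graph.
Connect-MgGraph -Scopes 'Policy.Read.All', 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

$policies = Get-MgIdentityConditionalAccessPolicy -All
$enabled  = $policies | Where-Object State -eq 'enabled'   # report-only policies enforce nothing

# Item 1: at least one enabled policy must target all users and grant only with MFA.
$mfaForAll = $enabled | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.GrantControls.BuiltInControls -contains 'mfa'
}
if (-not $mfaForAll) { Write-Warning 'FINDING (P1): no enabled Conditional Access policy requires MFA for all users' }

# Item 2: legacy auth is blocked only by a policy that targets the "other" (and usually
# "exchangeActiveSync") client app types with a Block grant.
$legacyBlock = $enabled | Where-Object {
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.GrantControls.BuiltInControls -contains 'block'
}
if (-not $legacyBlock) { Write-Warning 'FINDING (P0): legacy authentication is not blocked by Conditional Access' }

# Item 3: list every exclusion so each can be justified (break-glass accounts are expected;
# forgotten test users and broad groups are the typical finding).
function Resolve-UserRef([string]$Id) {
    # ExcludeUsers mixes object IDs with literals such as 'GuestsOrExternalUsers'.
    if ($Id -notmatch '^[0-9a-fA-F-]{36}$') { return $Id }
    $u = Get-MgUser -UserId $Id -ErrorAction SilentlyContinue
    if ($u) { $u.UserPrincipalName } else { "$Id (not found)" }
}
$exclusions = foreach ($p in $enabled) {
    $users  = @($p.Conditions.Users.ExcludeUsers)
    $groups = @($p.Conditions.Users.ExcludeGroups)
    if ($users.Count + $groups.Count -eq 0) { continue }
    [pscustomobject]@{
        Policy         = $p.DisplayName
        ExcludedUsers  = ($users  | ForEach-Object { Resolve-UserRef $_ }) -join ';'
        ExcludedGroups = ($groups | ForEach-Object { (Get-MgGroup -GroupId $_ -ErrorAction SilentlyContinue).DisplayName }) -join ';'
    }
}
$exclusions | Format-Table -AutoSize

# Item 4: active Global Administrator members (permanent or currently activated through PIM)
# versus PIM-eligible assignments. Get-MgDirectoryRoleMember never returns eligible-only users.
$gaRole    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaActive  = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
$gaEligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All `
    -Filter "roleDefinitionId eq '$($gaRole.RoleTemplateId)'" -ErrorAction SilentlyContinue

"Global Admins active: $(@($gaActive).Count)   PIM-eligible: $(@($gaEligible).Count)"
@($gaActive) | Sort-Object
if (@($gaActive).Count -gt 4) { Write-Warning 'FINDING (P1): more than 4 Global Admin accounts active' }
if (-not $gaEligible -and @($gaActive).Count -gt 2) {
    Write-Warning 'FINDING (P0): no PIM-eligible Global Admin assignments; standing admin access only'
}
```

Policies with only session controls have no GrantControls, which the comparisons above treat as "not MFA" and "not block", so they never mask a missing policy.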

Email Security Review

Priority: Critical

1. Verify SPF, DKIM, and DMARC records are configured correctly for all sending domains
2. Review Exchange Online Protection (EOP) anti-phishing policies — impersonation protection for executives
3. Check Defender for Office 365 Safe Links and Safe Attachments policies are enabled
4. Audit mail flow rules (transport rules) — look for rules forwarding mail externally
5. Review mailbox forwarding rules — check for unauthorized auto-forwarding to external addresses
6. Verify anti-spam policies — check quarantine settings, allow/block lists, and bulk mail thresholds
7. Check shared mailbox security — disable direct logon, audit delegated access
8. Review email authentication failures — DMARC aggregate reports for spoofing attempts
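Items 1, 4 and 5 are the ones where a finding is also a possible active incident (forwarding rules are a common persistence step after a mailbox is compromised), so they deserve scripted evidence rather than a spot check. The script below is an added example, not EPC Group's own tooling; it assumes the ExchangeOnlineManagement module, a Windows host for Resolve-DnsName, and an account that can read mailboxes, inbox rules and transport rules.

```powershell
# Added example (not EPC Group's script): external mail flow and DMARC evidence for the audit.
Connect-ExchangeOnline -ShowBanner:$false

# Accepted domains define "internal"; any other recipient domain is external.
$internalDomains = (Get-AcceptedDomain).DomainName

function Test-ExternalAddress([string]$Address) {
    # Handles 'smtp:user@x.com', 'Name [SMTP:user@x.com]' and plain 'user@x.com'.
    if ([string]::IsNullOrWhiteSpace($Address)) { return $false }
    $domain = (($Address -split ':')[-1] -split '@')[-1].TrimEnd(']', '>')
    return -not ($internalDomains -contains $domain)
}

$mailboxes = Get-Mailbox -ResultSize Unlimited

# Item 5a: mailbox-level forwarding (admin-set ForwardingAddress or user-set ForwardingSmtpAddress).
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } | ForEach-Object {
    [pscustomobject]@{
        Check    = 'MailboxForwarding'
        Mailbox  = $_.UserPrincipalName
        Target   = "$($_.ForwardingSmtpAddress) $($_.ForwardingAddress)".Trim()
        External = Test-ExternalAddress $_.ForwardingSmtpAddress
        KeepCopy = $_.DeliverToMailboxAndForward
    }
}

# Item 5b: inbox rules that forward or redirect. One call per mailbox, so this is the slow part.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | ForEach-Object { "$_" }
            [pscustomobject]@{
                Check    = 'InboxRule'
                Mailbox  = $mbx.UserPrincipalName
                Rule     = $_.Name
                Enabled  = $_.Enabled
                Targets  = $targets -join ';'
                External = @($targets | Where-Object { Test-ExternalAddress $_ }).Count -gt 0
            }
        }
}

# Item 4: transport rules that redirect, BCC or add recipients (silent org-wide exfiltration path).
Get-TransportRule | Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.AddToRecipients } |
    Select-Object Name, State, Priority, RedirectMessageTo, BlindCopyTo, AddToRecipients

# Item 1: every custom accepted domain should publish DMARC with p=quarantine or p=reject.
foreach ($domain in ($internalDomains | Where-Object { $_ -notlike '*.onmicrosoft.com' })) {
    $txt = Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { ($_.Strings -join '') -like 'v=DMARC1*' }
    $record = if ($txt) { $txt.Strings -join '' } else { '(none)' }
    $policy = if ($record -match 'p=(\w+)') { $Matches[1] } else { 'missing' }
    [pscustomobject]@{ Domain = $domain; DmarcPolicy = $policy; Record = $record }
}
```

A DmarcPolicy of "none" or "missing" is a finding against item 1 even when SPF and DKIM pass, because receivers are told to take no action on failures.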

Data Protection Review

Priority: High

1. Audit DLP policies — verify policies exist for PII, PHI (if healthcare), PCI (if processing payments)
2. Review sensitivity labels — check label taxonomy, auto-labeling rules, and label adoption metrics
3. Check SharePoint external sharing settings per site collection — identify overly permissive sites
4. Review OneDrive external sharing tenant-level settings — recommend "Existing guests only" minimum
5. Audit Microsoft Teams external access and guest policies — federation settings, guest permissions
6. Verify Information Rights Management (IRM) / Azure Information Protection encryption policies
7. Check for overshared content — sites or files shared with "Everyone except external users"
8. Review Microsoft Copilot data access — verify Copilot respects permissions and sensitivity labels

Endpoint Security Review

Priority: High

1. Verify Defender for Endpoint enrollment — all managed devices should report to Defender portal
2. Review device compliance policies — require encryption, minimum OS version, up-to-date antivirus
3. Check Conditional Access device compliance requirements — block non-compliant device access
4. Audit Intune application protection policies — MAM policies for BYOD scenarios
5. Review attack surface reduction (ASR) rules — block Office macro execution, credential stealing
6. Check automated investigation and response (AIR) settings in Defender for Endpoint
7. Verify endpoint DLP policies — block or audit sensitive data copies to USB, cloud storage, printing

Compliance Review

Priority: High

1. Verify retention policies cover all workloads — Exchange, SharePoint, OneDrive, Teams, Yammer
2. Check retention labels and label policies — auto-apply rules based on content type or keywords
3. Review eDiscovery readiness — verify legal hold procedures, custodian management, search capability
4. Audit Communication Compliance policies — offensive language, regulatory compliance, conflict of interest
5. Check Information Barriers — verify barriers between restricted departments (if applicable)
6. Review Compliance Manager score — identify high-impact assessment actions to improve compliance posture
7. Verify data residency requirements — confirm data is stored in expected geographic regions

Audit Log Analysis

Priority: Medium

1. Confirm unified audit logging is enabled (verify: Search-UnifiedAuditLog PowerShell command returns results)
2. Verify audit log retention period — 90 days (E3), 1 year (E5), or 10-year retention policy configured
3. Search for suspicious activities: impossible travel, mass file downloads, bulk user creation
4. Review admin activity logs — Global Admin actions, role assignments, policy changes
5. Check mailbox audit logging — verify it captures MailItemsAccessed, Send, SendAs operations
6. Review Azure AD sign-in logs — failed authentication patterns, unusual locations, risky sign-ins
7. Verify SIEM integration — audit logs feeding into Sentinel, Splunk, or other SIEM for correlation
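Items 1, 3, 4 and 5 can be covered from one Exchange Online session: confirm ingestion is on, confirm mailbox auditing captures MailItemsAccessed, then page through Search-UnifiedAuditLog for the operations behind mass downloads, role assignments and forwarding rules. This is an added example, not EPC Group's own tooling; it assumes the ExchangeOnlineManagement module, an account permitted to search the audit log, a 7-day window (an assumption) and the 500-file threshold from the daily alert list later on this page.

```powershell
# Added example (not EPC Group's script): unified audit log configuration check and triage.
Connect-ExchangeOnline -ShowBanner:$false

# Item 1: with ingestion disabled, every search below returns nothing.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'FINDING (P1): unified audit log ingestion is disabled'
}

# Item 5: MailItemsAccessed is only recorded for mailboxes whose owner audit set includes it.
Get-Mailbox -ResultSize Unlimited | Where-Object { $_.AuditOwner -notcontains 'MailItemsAccessed' } |
    Select-Object UserPrincipalName, AuditEnabled, AuditOwner

$end   = Get-Date
$start = $end.AddDays(-7)
$ops   = 'FileDownloaded', 'Add member to role.', 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox'

# 5000 is the per-call maximum; a session ID lets ReturnLargeSet page through up to 50,000.
$sessionId = [guid]::NewGuid().ToString()
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $records += $page
} while (@($page).Count -eq 5000)
$records = $records | Sort-Object Identity -Unique      # large-set paging can repeat records

# AuditData is a JSON string; expand it once so the checks below work on objects.
$events = $records | ForEach-Object {
    [pscustomobject]@{
        Time = $_.CreationDate; User = $_.UserIds; Operation = $_.Operations
        Data = $_.AuditData | ConvertFrom-Json
    }
}

# Item 3: mass file downloads, using the page's 500+ files alert threshold.
$events | Where-Object Operation -eq 'FileDownloaded' | Group-Object User |
    Where-Object Count -ge 500 | Select-Object @{n = 'User'; e = { $_.Name }}, Count

# Item 4: role assignments. The role name lives in ModifiedProperties; ObjectId is the target.
$events | Where-Object Operation -eq 'Add member to role.' | ForEach-Object {
    $role = ($_.Data.ModifiedProperties | Where-Object Name -eq 'Role.DisplayName').NewValue
    [pscustomobject]@{ Time = $_.Time; Actor = $_.User; Role = "$role".Trim('"'); Target = $_.Data.ObjectId }
}

# Forwarding rules created or changed; the forward target is passed as a cmdlet parameter.
$fwdParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'ForwardingSmtpAddress'
$events | Where-Object { $_.Operation -in 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox' } | ForEach-Object {
    $fwd = @($_.Data.Parameters | Where-Object { $_.Name -in $fwdParams })
    if ($fwd.Count -gt 0) {
        [pscustomobject]@{ Time = $_.Time; Actor = $_.User; Operation = $_.Operation; Target = ($fwd.Value -join ';') }
    }
}
```

Any hit in the last two lists should be cross-checked against the mailbox forwarding and transport rule findings from the email review, since a rule seen here but absent there was probably removed after use.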

Secure Score Assessment

Microsoft Secure Score provides a quantified security posture measurement. It should be both your starting point and your progress tracker throughout the remediation process.

  • 0-30% (Critical Risk): Basic security controls missing. MFA likely not enforced, legacy auth probably enabled, minimal DLP. Immediate remediation required.
  • 30-60% (Moderate Risk): Some controls in place but significant gaps. Common at organizations that deployed M365 without security planning. Most enterprises land here.
  • 60-80% (Good Posture): Strong security fundamentals. Fine-tuning needed in specific areas. EPC Group target for regulated industry clients is 75%+.

Action Plan: Export your Secure Score recommendations, sort by "Score impact" (highest first), and categorize each action by implementation effort (Quick Win, Planned, Major Project). Quick Wins (high impact, low effort) should be remediated within 1 week. Planned items within 30 days. Major Projects within 90 days. EPC Group provides this prioritized roadmap as the primary deliverable of every security audit engagement.
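The sort-and-bucket step of this Action Plan can be scripted against the live score rather than an exported CSV. The script below is an added example, not EPC Group's roadmap tooling; it assumes the Microsoft.Graph PowerShell SDK, an account with SecurityEvents.Read.All, and a mapping (my assumption, not Microsoft's) of the control profile's ImplementationCost onto the page's three buckets.

```powershell
# Added example (not EPC Group's script): Secure Score quick-win / planned / major-project roadmap.
Connect-MgGraph -Scopes 'SecurityEvents.Read.All' -NoWelcome

# One snapshot is produced per day; take the newest regardless of API ordering.
$score = Get-MgSecuritySecureScore -Top 7 | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
'Secure Score: {0:N0}/{1:N0} ({2:P0}) as of {3:d}' -f $score.CurrentScore, $score.MaxScore,
    ($score.CurrentScore / $score.MaxScore), $score.CreatedDateTime

# Control profiles carry the max score, implementation cost and user impact per control.
$profiles = @{}
Get-MgSecuritySecureScoreControlProfile -All | ForEach-Object { $profiles[$_.Id] = $_ }

function Get-RemediationBucket([string]$ImplementationCost) {
    # Assumed mapping: Low cost -> Quick Win (1 week), High -> Major Project (90 days),
    # anything else (Moderate/Unknown) -> Planned (30 days).
    switch ($ImplementationCost) {
        'Low'   { 'Quick Win (1 week)' }
        'High'  { 'Major Project (90 days)' }
        default { 'Planned (30 days)' }
    }
}

$roadmap = foreach ($c in $score.ControlScores) {
    $p = $profiles[$c.ControlName]
    if (-not $p -or $p.Deprecated) { continue }
    $impact = [double]$p.MaxScore - [double]$c.Score   # "Score impact" = points still available
    if ($impact -le 0) { continue }                      # fully implemented
    [pscustomobject]@{
        Control     = $p.Title
        Category    = $c.ControlCategory
        ScoreImpact = [math]::Round($impact, 1)
        Effort      = $p.ImplementationCost
        UserImpact  = $p.UserImpact
        Bucket      = Get-RemediationBucket $p.ImplementationCost
    }
}

# Highest impact first, as the Action Plan prescribes, then the points each bucket would recover.
$roadmap | Sort-Object ScoreImpact -Descending | Format-Table -AutoSize
$roadmap | Group-Object Bucket |
    Select-Object Name, Count, @{n = 'Points'; e = { ($_.Group.ScoreImpact | Measure-Object -Sum).Sum }}
```

Controls with high UserImpact (for example, blocking legacy authentication where old clients are still in use) stay in their bucket here but need a communication plan before the target date.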

Remediation Prioritization Framework

Not all findings carry equal risk. Use this framework to prioritize remediation based on exploitability, business impact, and implementation effort.

P0 — Immediate (24-48 hours)

  • MFA not enforced for admin accounts
  • Legacy authentication enabled
  • Unauthorized mail forwarding rules to external domains
  • Global Admin accounts without PIM activation
  • Active security incidents detected in audit logs

P1 — Urgent (1-2 weeks)

  • MFA not enforced for all standard users
  • No DLP policies for regulated data (PII, PHI)
  • External sharing set to "Anyone" on sensitive SharePoint sites
  • Audit log retention below regulatory requirements
  • More than 4 Global Admin accounts active

P2 — Important (30 days)

  • Conditional Access policies missing device compliance requirements
  • Anti-phishing policies not configured beyond defaults
  • Sensitivity labels not deployed or not adopted
  • Guest access reviews not configured in Entra ID Governance
  • Defender for Endpoint not enrolled on all managed devices

P3 — Planned (90 days)

  • Advanced threat protection fine-tuning
  • Communication compliance policies deployment
  • Information barriers between restricted departments
  • Full Compliance Manager assessment completion
  • SIEM integration for real-time security monitoring

Audit Report Template

A well-structured audit report is the deliverable that drives action. Here is the report structure EPC Group uses for enterprise Microsoft 365 security audits.

1. Executive Summary

Overall risk rating (Critical/High/Medium/Low), current Secure Score, top 5 findings, recommended immediate actions. One page maximum — this is for CISOs and executives.

2. Scope & Methodology

Tenants audited, services in scope, date range, tools used (Defender portal, Entra admin center, PowerShell, third-party scanners), frameworks applied (CIS Microsoft 365 Benchmarks, NIST CSF).

3. Identity & Access Findings

MFA coverage percentage, Conditional Access policy analysis, privileged account inventory, guest access review, application permissions audit. Each finding includes: current state, recommended state, risk rating, evidence.

4. Email Security Findings

DMARC/DKIM/SPF status, anti-phishing policy effectiveness, mail flow rule review, mailbox forwarding audit. Include DMARC aggregate report analysis if available.

5. Data Protection Findings

DLP policy inventory and gap analysis, sensitivity label adoption metrics, external sharing configuration per site, Teams guest access review. Map findings to regulatory requirements.

6. Endpoint & Compliance Findings

Defender enrollment coverage, device compliance statistics, retention policy coverage, eDiscovery readiness assessment, audit log configuration and retention status.

7. Remediation Roadmap

Prioritized actions (P0 through P3) with estimated effort (hours), responsible team, and target completion date. Include dependencies — some fixes require others to be completed first.

8. Appendices

Raw Secure Score export, Conditional Access policy JSON exports, PowerShell audit scripts used, full user/role inventory, application permissions matrix.

Ongoing Monitoring: Beyond the Audit

A security audit is a point-in-time assessment. Without ongoing monitoring, your security posture degrades as changes accumulate. Here is the monitoring framework EPC Group implements post-audit.

Daily Automated Alerts

  • Impossible travel sign-in detections
  • New Global Admin role assignments
  • Mass file download events (500+ files)
  • New mail forwarding rules to external domains
  • DLP policy violation spikes

Weekly Reviews

  • Secure Score trend — is it improving or declining?
  • New Conditional Access policy changes
  • Guest user access review queue
  • Failed sign-in attempt patterns
  • Application consent grants

Monthly Reports

  • MFA coverage percentage trend
  • DLP incident summary and response metrics
  • Endpoint compliance percentage
  • Storage and sharing trend analysis
  • Audit log retention verification

Quarterly Deep Dives

  • Full Conditional Access policy review
  • Application permissions re-certification
  • External sharing configuration validation
  • Retention policy effectiveness review
  • Penetration test or phishing simulation

Frequently Asked Questions

How do you perform a Microsoft 365 security audit?

A Microsoft 365 security audit follows a structured methodology: 1) Pre-audit preparation — define scope, gather admin credentials, document current policies, 2) Identity & access review — MFA enforcement, Conditional Access policies, privileged accounts, guest access, 3) Email security — anti-phishing, anti-malware, DMARC/DKIM/SPF configuration, 4) Data protection — DLP policies, sensitivity labels, external sharing settings, 5) Endpoint security — Defender for Endpoint enrollment, compliance policies, 6) Compliance — retention policies, eDiscovery readiness, audit log configuration, 7) Secure Score assessment — review Microsoft Secure Score and prioritize recommendations, 8) Remediation report — prioritized findings with risk ratings and fix instructions. EPC Group enterprise audits typically take 2-3 weeks and cover all seven areas.

What is Microsoft Secure Score and how do I use it?

Microsoft Secure Score is a numerical measurement (0-100%) of your organization's security posture across Microsoft 365 services. Found in the Microsoft 365 Defender portal (security.microsoft.com), it evaluates identity, data, device, app, and infrastructure security controls. Each recommendation includes points, implementation difficulty, and user impact. Common high-value actions: enabling MFA for all users (+10 points), configuring DLP policies (+5 points), blocking legacy authentication (+9 points). The average enterprise Secure Score is 35-50%. EPC Group targets 75%+ for regulated industry clients. Start by sorting recommendations by "Score impact" and addressing the highest-impact items first.

How often should you audit Microsoft 365 security?

EPC Group recommends: 1) Comprehensive audit — annually, covering all security domains from identity to compliance, 2) Targeted reviews — quarterly, focusing on highest-risk areas (identity, email, external sharing), 3) Continuous monitoring — daily automated alerts for critical security events (impossible travel, mass file downloads, admin role changes), 4) Change-triggered audits — after any major change (new Conditional Access policy, tenant merger, new application integration). For HIPAA, SOC 2, and FedRAMP compliance, annual comprehensive audits are typically mandatory with quarterly evidence collection.

What are the most common Microsoft 365 security gaps?

Based on EPC Group audits across 200+ enterprise tenants, the most common gaps are: 1) MFA not enforced for all users (found in 60% of audits — some users excluded from Conditional Access policies), 2) Legacy authentication not blocked (40% — allows password spray attacks that bypass MFA), 3) No DLP policies for sensitive data (55% — PII, PHI, and financial data shared without controls), 4) Excessive admin accounts (45% — more than 5 Global Admins, many without PIM), 5) External sharing unrestricted (50% — SharePoint and OneDrive allow anonymous sharing), 6) Audit logging not enabled or not retained (35% — default 90-day retention insufficient for compliance), 7) No anti-phishing policy beyond default (65% — default policies miss impersonation and BEC attacks).

How do I review Microsoft 365 audit logs?

Microsoft 365 audit logs are accessed through the Microsoft Purview compliance portal (compliance.microsoft.com) under "Audit." Key steps: 1) Verify audit logging is enabled (it is on by default but can be disabled), 2) Use the search function to query specific activities, date ranges, users, or IP addresses, 3) Common searches: failed sign-ins, admin role assignments, mailbox forwarding rules, file sharing events, DLP policy matches, 4) Export results to CSV for analysis or ingest into a SIEM via the Management Activity API, 5) Standard retention is 90 days (E3), 1 year (E5), or 10 years (with audit retention add-on). For compliance, EPC Group recommends E5 licensing with 10-year retention for regulated industries — 90-day retention is insufficient for most regulatory frameworks.

What should a Microsoft 365 security audit report include?

A complete audit report should include: 1) Executive summary — overall risk rating, Secure Score, top 5 critical findings, 2) Scope — what was audited (tenants, services, user populations), 3) Methodology — tools used, frameworks applied (CIS Benchmarks, NIST), 4) Findings by domain — identity, email, data protection, endpoint, compliance — each with severity (Critical/High/Medium/Low), evidence screenshots, and current vs recommended configuration, 5) Remediation roadmap — prioritized by risk with estimated effort and business impact, 6) Compliance mapping — how findings map to regulatory requirements (HIPAA, SOC 2, CMMC), 7) Appendices — raw Secure Score data, audit log samples, configuration exports. EPC Group audit reports typically run 40-60 pages with an executive summary on page 1.

How do I check if MFA is enforced for all Microsoft 365 users?

Multiple verification methods: 1) Microsoft Entra admin center → Users → Per-user MFA — shows MFA status (Enabled, Enforced, Disabled) for each user, 2) Conditional Access policies → Review all policies requiring MFA — check for exclusions (service accounts, break-glass accounts, or forgotten test accounts), 3) Sign-in logs → Filter for "MFA requirement: Not satisfied" to find users bypassing MFA, 4) PowerShell: Get-MgUser + Get-MgUserAuthenticationMethod to programmatically audit MFA registration, 5) Microsoft Secure Score → "Ensure multifactor authentication is enabled for all users" recommendation shows compliance percentage. EPC Group audits always verify MFA through all five methods because per-user MFA settings, Conditional Access policies, and security defaults can conflict — a user may appear MFA-enabled in one view but excluded in another.
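Method 4 above, expanded into a per-user registration report: enumerate enabled member users with Get-MgUser, list each user's registered methods with Get-MgUserAuthenticationMethod, and flag accounts with nothing stronger than a password. This is an added example, not EPC Group's own script; it assumes the Microsoft.Graph PowerShell SDK and an account with User.Read.All and UserAuthenticationMethod.Read.All.

```powershell
# Added example (not EPC Group's script): MFA registration coverage from authentication methods.
Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# Method types that can satisfy an MFA challenge. Password and email (SSPR only) cannot;
# a Temporary Access Pass is excluded because it is a short-lived credential, not a registration.
$mfaCapable = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

# Guests and disabled accounts are out of scope for this coverage figure.
$users = Get-MgUser -All -Filter "accountEnabled eq true and userType eq 'Member'" `
    -Property Id, UserPrincipalName, DisplayName, AccountEnabled, UserType

$report = foreach ($u in $users) {
    $methods = Get-MgUserAuthenticationMethod -UserId $u.Id -ErrorAction SilentlyContinue
    $types   = @($methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] })
    $strong  = @($types | Where-Object { $_ -in $mfaCapable })
    [pscustomobject]@{
        User          = $u.UserPrincipalName
        MfaRegistered = $strong.Count -gt 0
        # Shorten '#microsoft.graph.fido2AuthenticationMethod' to 'fido2' for the report.
        Methods       = ($types | ForEach-Object { ($_ -split '\.')[-1] -replace 'AuthenticationMethod$', '' }) -join ','
    }
}

$total      = @($report).Count
$registered = @($report | Where-Object MfaRegistered).Count
'MFA registration coverage: {0}/{1} ({2:P1})' -f $registered, $total, ($registered / [math]::Max($total, 1))

# Follow-up list. Registration is not enforcement: a registered user with no Conditional Access
# policy applying to them can still sign in with a password only, so cross-check with the CA audit.
$report | Where-Object { -not $_.MfaRegistered } | Sort-Object User | Format-Table -AutoSize
```

A user who appears here as registered but shows "MFA requirement: Not satisfied" in the sign-in logs (method 3) is the conflict case the answer describes: enrolled, but excluded from every enforcing policy.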

What is the difference between a security audit and a penetration test for Microsoft 365?

A security audit reviews configuration, policies, and compliance against best practices (CIS Benchmarks, Microsoft recommendations). It answers: "Are our settings correct?" A penetration test actively attempts to exploit vulnerabilities — phishing simulation, password spraying, token theft, privilege escalation. It answers: "Can an attacker actually breach us?" Both are necessary: audits catch configuration drift and policy gaps; penetration tests validate whether those gaps are exploitable. EPC Group recommends annual audits with semi-annual penetration tests. The audit identifies what to fix; the penetration test proves why it matters to executives who need business justification for security investments.

Get a Professional Microsoft 365 Security Audit

EPC Group security audits cover all six domains — identity, email, data protection, endpoints, compliance, and audit logs. We deliver a prioritized remediation roadmap aligned with your regulatory requirements and business risk tolerance.